Continued advancements in hardware technology and software development are enabling computer systems and other electronic devices, such as personal digital assistants, electronic books, cellular phones, etc., to be utilized in a variety of different implementations and applications. Some implementations are financial and commercial transactions, computer-aided design, communication, data storage and warehousing, education, etc. Additionally, coupling stand-alone computers and other electronic devices to form a networking environment greatly enhances their functionality. In a network environment, users are able to exchange information, share commonly stored files, combine resources, communicate via e-mail (electronic mail) and via video conferencing. Further, with the advent of wireless communication, networked computers can communicate and exchange information with nearly any other computer or other electronic device without having to be physically connected via a wired configuration.
In a wireless environment, there is a wireless client and an access point. The communication between the client and the access point is transmitted over public air space, so the communication is visible to anyone within range. In order to protect the privacy and contents of the transmitted communication, the information is commonly encrypted. To enable encryption, an encryption key is distributed to each of the clients utilizing the wireless network.
It is also important to assure that the client device is approved to receive an encryption key for a particular network and, conversely, that the network is approved for that particular client. It is also important that the user of the device also be approved for communication over the network. Therefore some form of authentication protocol must be employed in order to authenticate the devices, the network and the user.
There are a number of ways for a network to verify user identity in order to check whether it should grant access to its resources. For local area networks, the IEEE draft standard 802.1x/D11 specifies how to accomplish this. It establishes a basis for carrying authentication information from a supplicant to an authenticator, and optionally from the authenticator to an authentication server, in order to control access to the network by users.
In comparison to wireline networks, wireless networks have an additional problem to solve when users attempt to connect to them. Generally, wireline networks rely on protected distribution systems (e.g., conduit protected cabling, switches in locked wiring closets) to ensure the traffic they carry is not intercepted or modified in an unauthorized way. Wireless networks, on the other hand, communicate over publically accessible radio channels. Consequently, they must provide other means for protecting their traffic. Generally, this requires wireless networking devices to encrypt and integrity protect the traffic between them.
Several previous schemes have addressed the problem of user authentication, authorization and key distribution in wireless local area networks.
In one scheme, a user and the network mutually authenticate using a shared secret, generally a password. A complimentary scheme utilizes a secret shared by the user and a network to create an encryption key that can then be used to protect the confidentiality and integrity of the traffic between the user's wireless device and the network. The use of these two schemes has the advantage of securely authenticating the user and creating the encryption key.
However, as the number of access points increases, creating and managing user names and passwords stored on them becomes more difficult. In particular, if there is more than one access point in the network to which a wireless device can attach, all such devices must use a copy of the same user name/password database. This implies that when a password is changed, a user is added or a user is deleted from the database, these changes must be securely distributed to the other access points. When there are a large number of access points, it becomes difficult to keep each individual copy of the user name/password database synchronized. This can create security hazards.
To address these scaling issues, other inventions and approaches utilize a centralized database stored in a third-party system (this may store user names and passwords or other authentication information). The co-pending, commonly-owned U.S. patent application Ser. No. 09/560,396, filed Apr. 28, 2000, by Danny M. Nessett, et. al., entitled “Authenticated Diffie-Hellman Key Agreement Protocol where the Communicating Parties Share a Secret Key with a Third Party,” hereby incorporated by reference as background material, describes a scheme in which a wireless device (potentially in concert with the user employing the device) and the network create a shared encryption key using authenticated Diffie-Hellman key agreement. This key is used to confidentiality- and integrity-protect the traffic between them. During the Diffie-Hellman key agreement exchange, both the wireless device and the access point sign the information used to generate the shared secret key and this information is forwarded to a trusted third party. The signatures use a secret that the wireless device or user of the wireless device shares with the third party and a different secret that the access point shares with the third party. The trusted third party tests the signatures and if they are correct resigns the information in such a way that both the wireless device and the access point are assured that the information came from each other.
Once the exchange completes, the only parties that know the shared key are the wireless device and the access point. The trusted third party does not know the key. A disadvantage of the invention is it requires significant processing capability on both the wireless device and the access point. This can increase the cost of these devices and therefore reduce the market for them. Another disadvantage is it requires a specialized server or process to sign and resign information.
To mitigate the first disadvantage, co-pending, commonly-owned U.S. patent application Ser. No. 09/561,416, filed Apr. 28, 2000, by Danny M. Nessett, et. Al., entitled “Enhancement to Authentication Protocol That Uses a Key Lease,” hereby incorporated by reference as background material, describes a scheme in which once a wireless device and access point mutually authenticate and share a secret key, the two devices can quickly re-authenticate and re-establish this key without going through a more resource intensive protocol exchange. For example, suppose the wireless device and access point mutually authenticate and establish a shared key using the invention described in the above referenced patent application Ser. No. 09/560,396. If the wireless device loses contact with the access point, then re-establishes contact, the wireless device and access point can use the quick re-authentication scheme to mutually authenticate and establish a secret shared key without incurring the overhead inherent in the scheme described in Ser. No. 09/560,396.
Even with quick re-authentication, some wireless devices and access points may not have sufficient computational resources to execute the procedures described in patent application Ser. No. 09/560,396 in sufficient time to meet user and system requirements in some deployments. There exists one scheme which calls for offloading onto an access point server most of the computational burden necessary for the wireless device and access point to mutually authenticate and create a shared key. The scheme has the advantage of relieving this burden, but has the disadvantage of revealing the shared key to the access point server. In some deployments, this may be an acceptable risk in order to reduce the computational load on the wireless device and/or the access point. In other deployments this risk may be unacceptable. This scheme shares with the authenticated Diffie-Hellman scheme the disadvantage that it requires a specialized server or process to sign and resign information.
Others have proposed solutions to the problem of mutual authentication and shared key distribution in a wireless network. One approach uses the Extensible Authentication Protocol and EAP-TLS. In this scheme, the wireless device authenticates to an authentication server which is generally external to the access point, but in secure contact with it, using TLS with client side certificates. This protocol (with the optional client side certificates) mutually authenticates the wireless device and the authentication server (NB: not the wireless client and the access point) and establishes a shared secret between them. The authentication server then uses its secure channel to the access point to send it the shared key (precisely, the authentication server sends to the access point all of the information necessary to compute a key it will then share with the wireless device). It also vouches for the identity of the wireless device to the access point.
The advantages of this scheme are the use of standard security protocols (i.e., TLS, EAP-TLS) and the very light computational burden on the access point. The disadvantages are it requires the deployment of a public key infrastructure (to support client-side certificates) and the key shared between the wireless device and the access point is also known (technically, the information used to generate it is known) by the authentication server.
Another approach uses Kerberos, the protocol EAP-GSS, and 802.1x to mutually authenticate the wireless device and access point and to distribute a shared key between them. In this scheme, the access point acts as a Kerberos server, using the IAKERB protocol to accept and forward requests to the KDC on behalf of the wireless device (which acts as a Kerberos client). In rough overview, the wireless device contacts the KDC through the access point, receiving a ticket to the Kerberos server running on the access point. In the process the access point server gets a ticket for a (pseudo-) server running on the wireless device. The two use these tickets to mutually authenticate and to establish a shared encryption key.
An advantage of this scheme is it distributes a ticket to the wireless device, which can be used later to reconnect to the access point without an interaction with the Kerberos KDC. Another advantage is it uses standard protocols to implement some of its functionality. The disadvantages of the scheme are it requires the deployment of a Kerberos infrastructure, the key is known to the KDC as well as to the wireless device and access point, significant processing by both the wireless device and access point is required for each Kerberos transaction (e.g., the initial exchange, use of the ticket by the wireless device for re-authentication) and it uses non-standard protocols (at the time of this writing), specifically EAP-GSS and IAKERB to implement part of its functionality.
One issue that has not been discussed in regards to these schemes is how they fit into existing deployments. It is unlikely that a small business will have sufficient expertise and resources to implement any kind of security infrastructure. Consequently, the schemes described in co-pending, commonly-owned U.S. patent application Ser. No. 09/561,088, filed Apr. 28, 2000, by Albert Young, et. al., entitled “Protected Mutual Authentication Over an Unsecured Wireless Communication Channel,” and Ser. No. 09/900,617, filed Jul. 6, 2001, by Danny M. Nessett, et. al, entitled “Using a Key Lease in a Secondary Authentication Protocol After a Primary Authentication Protocol Has Been Performed,” hereby incorporated by reference as background material, are generally advantageous in these types of deployments.
Small and medium enterprises also may not have the expertise and resources to implement a significant security infrastructure, in which case they are in the same position as a small business. However, another issue for small, medium and large enterprises is how these schemes fit into an existing deployment. One consideration is which authentication server to use.
Almost without exception, remote access to enterprise networks uses a RADIUS server to control user access to it. If enterprises supporting remote access use a different user authentication server for wireless network protection than a RADIUS server, they will either have to find a way to combine the two server databases or maintain and manage the authentication databases separately, one for remote access and one for access to the wireless network. Both of these strategies are particularly difficult when one of the user authentication servers is a Kerberos KDC, since it does not store the passwords associated with a user name directly. Rather, it stores a hash of the password, which it uses as an encryption key.
Attempting to combine a RADIUS server and Kerberos KDC by using a common authentication database would require either the storage of passwords (which the KDC would then have to convert dynamically to encryption keys) or using the hashed passwords as the secret used by the RADIUS server and client for authentication. The former approach violates one of the design objectives of Kerberos, which is to avoid storing passwords on the server. No known Kerberos KDC implementation supports this. The latter approach is impractical, since widely deployed remote access clients do not transform passwords into authentication data using the Kerberos transformation algorithm.
There is another scheme that addresses the problem of combining the authentication databases for wireless network protection and remote access. For wireless network protection, it splits the mutual authentication and key distribution steps into two stages. It does this by holding device identifiers and shared secrets associated with those identifiers on access points and client devices and holding user identifiers on a centralized user authentication database.
This scheme uses this data in the following way. First, the network and client device mutually authenticate using the device identifier and its associated shared secret. During this process a key is generated to protect communications between the two. Once this is complete, the user authenticates to the network through a central authentication server that has access to the centralized user authentication database. This database can be used for user authentication to control access to the wireless network and to control access to the network from a remote location.
Only this latter scheme supports the use of a common remote access and wireless network user authentication database for deployments using standard remote access mechanisms. However, this scheme doesn't scale. For deployments with a large number of access points, managing the client identifiers and shared secrets on each in a way that keeps the data synchronized is very difficult.
What is needed is a method and system for mutually authenticating the user device and the access point. What also is needed is a key that can be used by the user device and access point to protect their communications. Once communications between the user device and access point are protected, the user device needs to utilize the user's identification for user authentication to the network using a centralized authentication system. What also is needed is a common authentication database for both wireless network access and remote access without introducing significant computational burden on either the user device or access point.